Enhancement: Support OAuth 2.0 for RabbitMQ ConnectionFactory #1211

Closed
steve1337 opened this issue Jun 18, 2020 · 8 comments · Fixed by #1212

steve1337 commented Jun 18, 2020

Enhancement

I would like to be able to use OAuth 2.0 to authenticate with RabbitMQ.

Background:

RabbitMQ supports OAuth 2.0 via the plugin: https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2

Unfortunately the available implementations for ConnectionFactories only support username and password authentication: https://docs.spring.io/spring-amqp/api/org/springframework/amqp/rabbit/connection/ConnectionFactory.html

Suggestion:

To add support I would like to implement a subclass of CachingConnectionFactory as Oauth2CachingConnectionFactory which could extend the behavior as follows:

  1. Keep username and password configuration as is and add property for OAuth 2.0 endpoint (e.g. https://oauth-server:8080/auth/openid-connect/jwt)
  2. Use username and password to acquire JWT from OAuth 2.0 backend via HTTP call
  3. Use JWT to authenticate with RabbitMQ

garyrussell commented Jun 18, 2020

The proper place for this is an extension to the com.rabbitmq.client.ConnectionFactory, not the CachingConnectionFactory, which is simply a wrapper around the amqp-client factory.

If there is not an existing extension, I suggest you discuss this with the RabbitMQ engineers on the rabbitmq-users Google group.

steve1337 commented Jun 18, 2020

Hi Gary, thank you for the fast reply.

I think the com.rabbitmq.client.ConnectionFactory already supports authentication via OAuth 2.0 (JWT). I tested this by configuring the Spring connection factory as follows:

  @Bean
  public ConnectionFactory connectionFactory() {
    CachingConnectionFactory connectionFactory = new CachingConnectionFactory("localhost");
    connectionFactory.setUsername("test");
    connectionFactory.setPassword("{HERE THE JWT}");
    return connectionFactory;
  }

Essentially the only part missing is getting the JWT from an OAuth backend and passing it to the connection factory as shown above.

Do you still think this use case should be handled by com.rabbitmq.client.ConnectionFactory?
If yes can you please give me a link to the Google group you mentioned? (Sorry I'm not familiar with google groups at all.)

@garyrussell
Contributor

Do you still think ...

Yes, this is the code in CachingConnectionFactory (actually AbstractConnectionFactory):

	public void setPassword(String password) {
		this.rabbitConnectionFactory.setPassword(password);
	}

Just Google rabbitmq-users google group.

steve1337 commented Jun 18, 2020

Okay thanks that makes it clear. I will address my question / feature request with the RabbitMQ engineers.

Should I leave this issue open for a potential pull request of an update of https://github.com/rabbitmq/rabbitmq-java-client once I added an extension or should I close it and open another issue later?

@garyrussell
Contributor

It depends on which version the feature is added to; we won't be able to bump to a new minor release (e.g. 5.10) until our next release (2.3).

Closing this for now.

@acogoluegnes
Contributor

@steve1337 You should have a look at the documentation: https://www.rabbitmq.com/api-guide.html#oauth2-support

It's a matter of setting a CredentialsProvider on the RabbitMQ client's ConnectionFactory (instead of username/password).

This was introduced in 5.8.0 (December 2019).

@garyrussell
Contributor

Thanks @acogoluegnes

And then

  @Bean
  public ConnectionFactory connectionFactory() {
    com.rabbitmq.client.ConnectionFactory connectionFactory = new ...
    return new CachingConnectionFactory(connectionFactory);
  }

garyrussell reopened this Jun 18, 2020
@garyrussell
Contributor

Reopened - we should add setCredentialsProvider on the RabbitConnectionFactoryBean.
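
The approach the thread converges on (a CredentialsProvider on the RabbitMQ client's ConnectionFactory, wrapped in a CachingConnectionFactory), written out as an added example that is not code from any participant or from the Spring AMQP project. It needs amqp-client 5.8.0 or later; the token endpoint URL, the environment variable names and the broker host are placeholders chosen for illustration.

```java
import com.rabbitmq.client.impl.CredentialsProvider;
import com.rabbitmq.client.impl.CredentialsRefreshService;
import com.rabbitmq.client.impl.DefaultCredentialsRefreshService.DefaultCredentialsRefreshServiceBuilder;
import com.rabbitmq.client.impl.OAuth2ClientCredentialsGrantCredentialsProvider.OAuth2ClientCredentialsGrantCredentialsProviderBuilder;
import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.amqp.rabbit.connection.ConnectionFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class RabbitOAuth2Config {

    @Bean
    public ConnectionFactory connectionFactory() {
        // Fetches a token from the OAuth 2.0 server with the client credentials grant.
        // The endpoint is a placeholder; keep it on https so the client secret
        // and the returned token are not sent in clear text.
        CredentialsProvider credentialsProvider =
            new OAuth2ClientCredentialsGrantCredentialsProviderBuilder()
                .tokenEndpointUri("https://oauth-server.example/oauth/token")
                // Placeholder variable names: read the secret from the
                // environment instead of hard-coding it in the bean.
                .clientId(System.getenv("RABBIT_OAUTH_CLIENT_ID"))
                .clientSecret(System.getenv("RABBIT_OAUTH_CLIENT_SECRET"))
                .build();

        // Renews the token before it expires. A JWT pasted in as a static
        // password (as in the test earlier in the thread) is never renewed.
        CredentialsRefreshService refreshService =
            new DefaultCredentialsRefreshServiceBuilder().build();

        com.rabbitmq.client.ConnectionFactory rabbit =
            new com.rabbitmq.client.ConnectionFactory();
        rabbit.setHost("localhost"); // placeholder broker host
        rabbit.setCredentialsProvider(credentialsProvider);
        rabbit.setCredentialsRefreshService(refreshService);

        // Spring's factory only wraps the configured amqp-client factory.
        return new CachingConnectionFactory(rabbit);
    }
}
```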
